Question

I started having problems accessing https://ws.plimus.com/ with async-http-client a few days ago. I get a "General SSLEngine problem" message, and in the stack trace I can see that it is caused by

java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

This SO question describes basically the same thing. Commenting out the line in java.security makes the error go away, but I assume there is good reason for MD2 to be disabled.

Using Raman's answer for hints, I found that indeed, the async-http-client library uses the X509TrustManager interface, but there's not much I can do to change that.

Running this:

openssl s_client -showcerts -connect ws.plimus.com:443 | grep -i md2

finds nothing, so I don't even know which certificate is causing the issue.

Is there something I can do, other than the workaround?

I put demo code that reproduces the problem on github.

Was this helpful?

Solution

The server you mentioned does indeed use the same Verisign Class 3 cert with the md2WithRSAEncryption algorithm that I described in my other answer:

openssl s_client -showcerts -no_ign_eof -connect ws.plimus.com:443
CONNECTED(00000003)
... [ stripped ] ...
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
... [ stripped ] ...
-----END CERTIFICATE-----

and then converting that certificate to text form:

openssl x509 -text -noout < cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
    Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Validity
            Not Before: Jan 29 00:00:00 1996 GMT
            Not After : Aug  1 23:59:59 2028 GMT
        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
... [ stripped ] ...

Perusing the javadocs for async-http-client, it looks like you can call setSSLContext when building an instance of AsyncHttpClientConfig:

https://github.com/AsyncHttpClient/async-http-client/blob/master/api/src/main/java/org/asynchttpclient/AsyncHttpClientConfig.java#L841

So, you can create your own SSLContext with the X509ExtendedTrustManager and configure the async http client library to use it, instead of its internal default. That should solve your problem!

Here is a Gist which contains the SSL test code I used to debug this issue. You can easily extract from this what you need to create your own SSLContext: https://gist.github.com/rocketraman/8312705.
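As an added illustration of the approach described in this answer (this is not the gist's code, nor async-http-client's own), the class below builds an SSLContext from an explicitly loaded trust store, keeps the JDK's PKIX X509ExtendedTrustManager as the one that actually makes the trust decision (so the algorithm constraints from java.security still apply), and wraps it only to report which certificate in a rejected chain carries which signature algorithm. The wrapper, the trust store path and password, and the client package/version (com.ning.http.client, the 1.x API with AsyncHttpClientConfig.Builder.setSSLContext) are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

import com.ning.http.client.AsyncHttpClient;       // assumed: async-http-client 1.x API
import com.ning.http.client.AsyncHttpClientConfig;
import com.ning.http.client.Response;

/** Hypothetical helper: an SSLContext whose trust manager delegates to PKIX but explains rejections. */
public class DiagnosticSslContext {

    /** Wraps the JDK trust manager; it never relaxes a decision, it only reports it. */
    static final class ReportingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        ReportingTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

        // Print position, signature algorithm, subject and issuer of every cert in the rejected chain.
        private static CertificateException describe(X509Certificate[] chain, CertificateException e) {
            System.err.println("Chain rejected: " + e.getMessage());
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = chain[i];
                System.err.printf("  [%d] sigalg=%s subject=%s issuer=%s%n", i,
                        c.getSigAlgName(), c.getSubjectX500Principal(), c.getIssuerX500Principal());
            }
            return e; // rethrown by the caller: the handshake still fails
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType); } catch (CertificateException e) { throw describe(chain, e); }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket s) throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType, s); } catch (CertificateException e) { throw describe(chain, e); }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine en) throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType, en); } catch (CertificateException e) { throw describe(chain, e); }
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket s) throws CertificateException {
            delegate.checkClientTrusted(chain, authType, s);
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine en) throws CertificateException {
            delegate.checkClientTrusted(chain, authType, en);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Build an SSLContext trusting only the roots in the given trust store (path/password are assumptions). */
    public static SSLContext build(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509ExtendedTrustManager pkix = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) { pkix = (X509ExtendedTrustManager) tm; break; }
        }
        if (pkix == null) throw new IllegalStateException("JDK did not provide an X509ExtendedTrustManager");
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ReportingTrustManager(pkix) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build("truststore.jks", "changeit".toCharArray()); // constructed sample values
        AsyncHttpClientConfig config = new AsyncHttpClientConfig.Builder().setSSLContext(ctx).build();
        AsyncHttpClient client = new AsyncHttpClient(config);
        try {
            Response r = client.prepareGet("https://ws.plimus.com/").execute().get();
            System.out.println("HTTP " + r.getStatusCode());
        } finally {
            client.close();
        }
    }
}
```

Two points worth noting. First, the explicit trust store narrows what this client trusts to the roots in that file; it does not by itself change jdk.certpath.disabledAlgorithms, so a chain that trips the MD2 constraint still fails, but the diagnostic output names the offending certificate by position, subject and signature algorithm. Second, that is exactly what the grep in the question cannot show: openssl s_client -showcerts prints the certificates as base64 PEM, so "md2" never appears in its output; decoding each certificate with openssl x509 -text (as done above) or reading getSigAlgName() in Java is needed to see the algorithm.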

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow